Malware in the phone? Google Search (Enhanced)

Final update: Brian from Lookout popped in to say this:

I’d like to thank everyone for this thread and keeping vigilant about our product. Unfortunately, we make mistakes sometimes but we work hard and fast to correct them. Fail fast goes the motto, as is embodied in this thread and, I’d like to believe, our response time.

We have just issued a new set of malware signatures which corrects for the false positive we previously reported. It will take a few hours for this new update to hit all phones but the propagation should be complete in less than 24 hours.

Sorry, again, for this mixup and we’re currently working on ways to ensure this doesn’t happen again.

Brian

And with that, that’s all folks; all-clear.

*

Update: See comments below for two reports of Lookout (the antivirus people) saying this was a false positive; no trojan, just an antivirus app jumping at shadows. Quote:

Our latest set of malware detection signatures went out to our users last night (August 8, 2012). Unfortunately it misidentifies the app “Google Enhanced Search” as the trojan ‘GGSearch’. If you’ve received this warning please ignore it – we will be shipping a new set of detection signatures in the next 24 hours, at the latest.

*

So I was at the university, and my phone said — well, read — that I have a trojan: a Trojan.Android.FakeGGSearch.a, calling itself “Google Search (Enhanced)”, with a long and scary list of permissions. Lookout (my virus scanner thingy) gave a description: a scary one, with the sending of costly text messages, uninstalling virus scanners, sending my personal details to China (but I have Chinese friends!), etc., etc.

That workday was over right then.

Went home, and used laptop to change my Google password and my Twitter client’s access, and checked the bank account linked to the Google account (for Android Market) for sudden disappearances of money. (There were none; phew.) Tried to uninstall the bugger a few times; it would not be uninstalled.

Hit the phone in airplane mode in the meanwhile. A mere music player doesn’t send no details anywhere. (Sony Ericsson Xperia X10 Mini Pro, by the way.)

Then went to visit my phone operator’s midtown office. They said, politely, “Fuck off, we don’t help you with what paranoid third party apps say is or isn’t malware. Neither will the phone manufacturer if you send it to them. Now bugger off.”

I buggered off, took the SIM card and the memory card out, and googled, seeing a rash of cases similar to mine popping out in Germany, in Netherlands, all over the place, all as clueless as me. Someone more bold suggested this was Lookout mis-reacting.

Watching, giving my phone baleful glares, and looking how things will develop. (It’s about two hours since I noticed this; all but one of the discussions below have come into being since; all tell Lookout detected this, at about the same time apparently.) Will add links.

android-hilfe.de : Good discussion in German; raises the point that someone has had this app installed since April, and Lookout’s only now reacting to it (also, to old backups of it); false positive or better detection? They’re tending towards “false positive”, I think, and wondering if all affected devices have Android 2.1.

androidforums.com : Scared and clueless — and with a SE Xperia Mini, a phone that’s almost identical to mine. I wish the others affected would tell theirs; is this an accident, or something important? They say, “I just installed Avast, and scans from it find no problem. either it’s a false positive from Lookout, or really effective malware.”

kassa.vara.nl : Wondering, suggesting Lookout’s forums (Where there seems to be no hits); suggesting trying a different antivirus, and reporting difficulties installing one, which is bad.One person there has sent a question to Lookout; hope they answer quickly.

I’m waiting and seeing how the web-opinion develops before hitting the big reset button. Am “encouraged” to read all the alerts have come from Lookout; though this doesn’t need to mean this is a glitch; it could be an update that went out and found something nasty in a number of places.

Pfooey.

Will update whenever I notice something new.

Update (7 hours into the thing): nothing much to report. There’s a Japanese report of the same problem over on Yahoo.co.jp; like many other reports, it has Android 2.1 and Lookout, and suspects this is a problem with Lookout. (8 hours) Given how the reports are below and on the androidforums.com thread, I’m calling this a false positive that an update of Lookout will fix; further updates will go into the comments.

Share this:

Related

This entry was posted on August 9, 2012 at 12:55 and is filed under tangent. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.

96 Responses to “Malware in the phone? Google Search (Enhanced)”

I just faced the same issue today. Lookout detected Trojan.Android.FakeGGSearch.a, calling itself “Google Search (Enhanced)”… blah blah. I googled and hit the same websites that you listed. Not of much help. I could not even uninstall the app. Then I found someone asking to try Settings -> Location & Security -> Select Device Administrator, in order to uninstall apps that do not uninstall in the normal fashion. But I realized my phone does not have “Select Device Administrator” in the Location & Security menu !!

Just got the same notification on my android. Scary! I cannot uninstall. Don’t know what to do. I did not install it on my phone. So how did it get there? I hate to erase phone of all data. Hope someone come up with a solution.

Yeah, I’m in the same boat as you fellas. I just received the notice from Lookout last night about the potential trojan within Google Search (Enhanced) app. I ended up deleting only the “Data” of the app, and not the app itself, as I also cannot remove the potential malware too. I have not rooted my phone, but I presume that if necessary that should give me full power to remove any app or system file I want, even if I accidentally delete the wrong thing!

I had the same problem this morning. Lookout gave me the option of uninstalling it but I am not even sure if it worked. Since so many of us have experienced this problem at approximately the same time I think it’s relatively safe to assume it’s a false positive; a glitch on the part of Lookout.

What the hell? I thought I was the only one who had this virus. Lookout does nothing, so I uninstalled it and got Avast’s mobile anti-virus. It can’t even detect it! You would think one of the best anti-viruses would detect a simple mobile virus. I think I have to reinstall Lookout.

I just installed lookout today and got the same notification about the Google Search (enhanced) trojan virus. Going to add my voice to the lookout website to try to get them to respond as to whether it is a legit threat.

So I uninstalled and reinstalled Lookout. It apparently can’t find the virus. So either the virus is buried into my phone and Lookout can’t find it, or Lookout has been updated. I’m figuring it’s the former. Now I’m getting a little paranoid.

here in the US, same thing happened to me this AM. Could not uninstall. Trying AVG for mobile, and uninstalled Lookout in case the two should interfere with each other. Lookout has got great reviews except for their support staff, so not expecting much help there…

i have the same issue, I thought it was something isolated but apparently, it seems to be more a glitch with Lookout if all of us have the same issue. I am going to try to contact lookout and just go from there.

Hmm. There’s an option on the Lookout settings where you can click “Safe Browsing” to “stay safe from phishing and malware” but when you click it it tells you you have to UPGRADE TO PREMIUM to use Safe Browsing. Dare I suggest this is an intentional false alarm…?

Hi. I came across this site in search of my sister having the same issue. It is my personal belief that this is a false positive. She as well uses lookout antivirus and the android 2.1 operating system. As to why you cannot uninstall this Google search (enhanced), it is an old update and the application itself is stock app that comes with the manufactured phones. My own suggestion is if your lookout hasn’t been updated recently try that. ReclusiveOne has stated they have updated their lookout and the problem was no longer showing as a threat. Sum to this I really do believe this to be a false positive.

Furthermore I’d like to state she hasn’t installed any updates to this app since she’s had the phone. As she told me, ‘I already have Google search. Why would I want another one?’ I hope this brings some of you comfort and that lookout and Google resolves this flag

Just adding my voice to the rest of yours. Same problem as the rest of you. All of us have Lookout, but I’m wondering if all of us have Sony Xperia too? ( I do). So far it seems that was the only phone mentioned. Any case opened a request with Lookout too. Maybe if we all do, they’ll respond faster?

Be careful Ugh, my brother works for NSA, he told me that iphones are being targeted a lot right now. Meaning, NSA works with all applications however, apple was the only one that decided not to do any business with NSA so, hackers have being targeting iphones a lot. Just recently, 1000s of at&t iphones were involved in a security breach. He said that Samsung Galaxy the new one was the most secured phone out there right now….just an observation my friend….

Hi I’m from India and I am facing the same problem. I was wondering if you’ve found any solution ? I’ve gone through all the links you’ve provided in your post and they’ve been a little useful. Thank you.

ok, i uninstalled it, reinstalled lookout and ran the application, i just got No malware or spyware found…. so i am not sure if i am good now or not…seems to be a glitch but seems to be ok now…not sure… you guys can try uninstalling it if you want…and let us know what you got…

Thanks for all the comments, everybody. I think that, based on that (a) several people have reported that updating/removing and re-installing Lookout makes the alert go away and not come back, and (b) other antivirus programs don’t find a problem, that this is probably a false positive, a problem with Lookout and not a real trojan.

Or it’s a real monster and Lookout is the only watchman awake; but that way lies paranoia.

I think I’ll keep watch over this for the rest of the evening (it’s 7 pm in Finland right now), and give a final update after midnight (in five hours’ time). And since I’m paranoid, I’m not turning my phone back on before that; I hope someone can get a comment from Lookout before that.

I got to google a bit; is it true, and is it significant, that every phone affected has Android 2.1 (possibly update 1), and no other versions show this problem?

I got the same warning this morning. I have updated my Lookout and am currently scanning the phone again. I think after it is done, I, too, will turn it off and wait for word from Lookout and/or Google.

Android 2.1 has about 4.2% of the market share of Android phones, because it’s Old. (In the world of phones, anything older than six months tends to be… but Old ain’t Bad.) Three of the phones listed above are, by my hasty research, phones released with 1.x Android and then later updated to 2.1, and to nothing after that. The fourth came with 2.1, and could be updated.

I don’t know whether this means anything; but I’m willing to bet it does.

Since I’m utterly nontechnical, I can easily imagine the good folks of Lookout didn’t fully investigate the behavior of their next-to-newest update on some old phones… and boom! But, happily, according to several commenters, there has been an update, since a re-installed/updated Lookout doesn’t find a problem.

Same problem spain, experia mini with android 2.1 and lookout anti virus. Checked on a couple of tablets, arnova with 2.1, cannot find an app called google search and a htc honeycomber flyer which has google search 1.3 a nd both seem fine. It’s got to be a false positive, but where the heck has it come from?

OK, so I got the same alert from lookout today which up to this morning has been excellent. First I was horrified, then scared then angry within the space of a few minutes. (Somehow Trojans, malware and viruses I only read about.. the sort of thing you just think only happen to other people)! Anyway, I turned off all internet connections, dashed to the nearest computer in search of any info on the said “google search (Enhanced)”..found some article on viruses/malware that seem to be like something out of a Nasa engineering blog! Then I stumbled on this post and realised, I’m not alone… phew! I can’t run other anti-virus for compatibility reasons obviously but having read the posts I tend to lean towards the “Lookout glitch” version. I have done a straight update on Lookout(without uninstal), signs are good, currently running full scan. I will recommended any bank accounts/info linked to google account to be checked. Will drop a post when scan is complete on outcome..

Anne-Cécile B.: Nah, this has been stress relief for me, too. Thanks for all the comments, all; multiple data points make life much easier. (And universities are open all year round, though nothing much happens this month or the previous. This is perfect for a graduate student that wants to do math before the mewling of undergraduates and the tromping of professorial feet distract him overmuch.)

Same problem. It happend today with lookout on Xperia X10 mini. Is it just lookout issue or is malware? Can I re-instal lookout or shoul´d I wait ?
BTW. It looks like wordwide issue, I am from Czech republic.

Our latest set of malware detection signatures went out to our users last night (August 8, 2012). Unfortunately it misidentifies the app “Google Enhanced Search” as the trojan ‘GGSearch’. If you’ve received this warning please ignore it – we will be shipping a new set of detection signatures in the next 24 hours, at the latest.

The other thing that occurred to me… the fact that this happened to all of us on the same date does not mean it has to be a Lookout problem. Often malware has a ‘trigger date’. If this is a legitimate alert, the malware may have been installed and inactive on our phones for months.

I got this same flagged “Trojan” app from Lookout at about 2am CST on 09 August 2012. I’m located in Austin, Tx and am using an HTC Hero with android 2.1 — am not able to uninstall the app. I have not tried updating Lookout. I have the stock OS, and other than internet browsing and installing a few “trusted” applications from big name developers I have not manually downloaded anything suspicious that I am aware of (twitter, facebook,reddit, draw something, astro, official city bus stop info, slashdot, and fantasy baseball from espn app). I also have updated anything on this phone for about 3 months. Hoping this is just a Lookout malfunction, but wanted to give another data point to the discussion.

Brian, Aug 09 10:44 am (PDT):
Our latest set of malware detection signatures went out to our users last night (August 8, 2012). Unfortunately it misidentifies the app “Google Enhanced Search” as the trojan ‘GGSearch’. If you’ve received this warning please ignore it – we will be shipping a new set of detection signatures in the next 24 hours, at the latest.

Just received this from Lookout support:
“I’m sorry for the confusion. Our latest set of malware detection signatures went out to our users last night (August 8, 2012). Unfortunately it misidentifies the app “Google Enhanced Search” as the trojan ‘G.G.Search’. If you’ve received this warning please ignore it – we will be shipping a new set of detection signatures in the next 24 hours, at the latest.”

I received the same message as Mike from Lookout:
Our latest set of malware detection signatures went out to our users last night (August 8, 2012). Unfortunately it misidentifies the app “Google Enhanced Search” as the trojan ‘GGSearch’. If you’ve received this warning please ignore it – we will be shipping a new set of detection signatures in the next 24 hours, at the latest. So everyone it was a mistake & it should b e fixed tonight.

I have Lookout & the same issues as of first thing this morning. I’ll try to uninstall & install but I find it weird that so many people that already had Google on their phone magically got another one.

I’m sorry for the confusion. Our latest set of malware detection signatures went out to our users last night (August 8, 2012). Unfortunately it misidentifies the app “Google Enhanced Search” as the trojan ‘GGSearch’. If you’ve received this warning please ignore it – we will be shipping a new set of detection signatures in the next 24 hours, at the latest.

I’d like to thank everyone for this thread and keeping vigilant about our product. Unfortunately, we make mistakes sometimes but we work hard and fast to correct them. Fail fast goes the motto, as is embodied in this thread and, I’d like to believe, our response time.

We have just issued a new set of malware signatures which corrects for the false positive we previously reported. It will take a few hours for this new update to hit all phones but the propagation should be complete in less than 24 hours.

Sorry, again, for this mixup and we’re currently working on ways to ensure this doesn’t happen again.

@Dianna – Please force a connection to our servers via the Lookout app on your phone by going into the settings of the app and changing the the scheduled time of your security scans or backup to a different hour. That will cause the phone to update our servers with the new time and will pull down the new malware signatures and should get rid of the malware notice.

Hi Brian…Thanks for the info; however I just took the phone off of charge and when I restarted it, it appears that all is good. Thanks much for your help. Rest well…cant imagine how stressful this has been for you~ All the Best!

This evening’s responses very comforting that others had same problem as me. I first noted this trojan alert last evening & freaked like everyone else. Deleted data/cleared cache, couldn’t remove Google search. VERY dissappointing that it was so hard to find answers last night. Also the thread on here was rather daunting, as it was if u didn’t have an answer, then don’t post! Tone seems to have changed now, & I appreciate hearing everyone’s experiences. I have an HTC Aria 2.1. Came home from work, today re-scanned with Lookout & no more trojan/glitch. Disagree with MOA in that I think there should have been notice from Lookout & headline on GOOGLE should have been LONG before this. Also, this points out how scary these aps are with their lengthy lists of how they can use your information. Ready to get rid of GOOGLE/HTC/LOOKOUT and go to another “smartphone”.
(Thank you MOA for having this discussion available)

I merely weren’t able to go away completely your web site previous to indicating we seriously beloved the regular data anyone deliver in the visitors? Will be destined to be just as before gradually to examine on brand-new articles